Pulling information data from within a database SQL 2008 of an application
There is an application (IBMS) database running on SQL server 2008 that we need to integrate with Envision.
However, the catch here is that we're not interested in the OS windows event logs, nor in the SQL trace files which capture all audit trail activities on the SQL DB.
What we're interested in is the actual content (raw logs/information) stored within the DB. For instance, when employees punch their cards in on IBMS gateways, a log of the activity is sent to the IBMS application where it is stored within the DB. We're interested in integrating the IBMS application so we may receive these employee-IBMS-interaction logs on Envision as well.
As far as I understand it, the only way to receive the logs for employee-IBMS-interactions is to pull this information (raw logs) from the IBMS application database itself. The question here that I have is, whether this is possible with Envision (or even SA as a matter of fact) or not?
Any alternative suggestions and/or a resolution/tip/guidance/indicator/solution on the issue will be very helpful and appreciated.
- Community Thread
- Forum Thread
- RSA enVision
Sounds like you want to integrate a custom table on "enVision", well i did that with DB2 and Oracle database.
1st you need to install the right ODBC driver for your database (SQL server) on the LC and make sure that you can conect. Make sure that the user that you use for connect has the privilege to make "select" on the target table.
2nd you have to create a custom "gots" file. Do this from the GUI on Manage ODBC types. you can use as example the "oracle_fga" type.
After that you have to create a service for this source (Manage ODBC services) and restart NIC ODBC Service on the LC, at this point you should see a new device as unknow and Its logs on event viewer.
The last step is create a xml file for parser your new device (UDS).
I Hope this help you.
Thanks for the response. Please bear with me on this, but I need some further clarification.
Continuing the query further -
Under Manage ODBC Types, I can see there is an option for MSSQL as well. However, the fields within weren't of much help in this quest to pull data from within custom tables of a database.
Just to confirm, for SQL DB, RSA provides a default Stored Procedure designed to collate information from across the DB, which is then executed via SIEM (Manage ODBC Types -> MSSQL configuration page), resulting in a trace file, which is then harvested by the SIEM collector? Is that a correct understanding?
Now, you'd recommended following the Oracle_FGA configuration template to extract data from a custom database table.
Here are some excerpts from the Oracle_FGA configuration page.
Data query: SELECT SESSION_ID, "TIMESTAMP", DB_USER, OS_USER, USERHOST, CLIENT_ID, EXT_NAME, OBJECT_SCHEMA, OBJECT_NAME, POLICY_NAME, SCN, COMMENT$TEXT, STATEMENT_TYPE, PROXY_SESSIONID, GLOBAL_UID, INSTANCE_NUMBER, OS_PROCESS, TRANSACTIONID, STATEMENTID, ENTRYID, SQL_TEXT, SQL_BIND FROM "SYS"."DBA_FGA_AUDIT_TRAIL" WHERE SYSDATE-(2/(3600*24)) > "TIMESTAMP" AND "TIMESTAMP" > to_date('%TRACKING%','yyyy-mm-dd hh24:mi:ss')
Max tracking query:SELECT TO_CHAR(MAX(cast(TIMESTAMP as date)),'yyyy-mm-dd hh24:mi:ss') FROM "SYS"."DBA_FGA_AUDIT_TRAIL"
Tracking column: TIMESTAMP
I'm finding it a little hard to make sense of the query above, with respects to a custom table from within the database.
You see, I've got a simple requirement, for instance SELECT name FROM dbo.P_POLICY of my RSA_DLP_EM database.
How can I simply collect the actual value stored within the name column of the P_POLICY dbo from within the RSA_DLP_EM DB?